The rapid development of the Internet has moved fields such as medical care, finance, entertainment, and shopping online, and software is now present everywhere in people's lives. Software vulnerabilities are not uncommon; they have seriously harmed the economy of the country and society and disrupted people's normal lives. Among the many types of vulnerabilities, Java deserialization vulnerabilities have been on the rise since 2015. Because they are easily exploited, they have become one of the most threatening classes of software vulnerability. Before a deserialization vulnerability is publicly disclosed, the third-party public component libraries used by the software can be scanned, so that potential deserialization vulnerabilities are detected and prevented in advance.

At present, existing deserialization vulnerability call chain detection falls into two categories: methods based on rule matching and methods based on taint analysis. The former, relying on whitelists or blacklists, cannot find unknown deserialization vulnerability call chains, while the latter has high false negative and false positive rates because of its limited ability to track vulnerability call chains. To overcome the limitations of existing detection methods, improve the accuracy of deserialization vulnerability detection, and reduce the false positive rate, this thesis proposes a call chain detection method for Java deserialization vulnerabilities based on graph networks, Serial Finder. It expresses the semantic information of a deserialization vulnerability call chain as a graph structure, trains a graph isomorphism network model, and uses that model to detect call chains of potential deserialization vulnerabilities.

The main contributions of this thesis are as follows:

(1) To address the severe shortage of sample data for training a Java deserialization vulnerability call chain detection model, this thesis designs a call chain subgraph extraction method based on multi-relational edges and collects a large number of call chain subgraphs as the model's training data set, laying a solid foundation for training the Java deserialization vulnerability call chain detection model.

(2) To reduce the false positive rate of call chain detection for deserialization vulnerabilities, a method for detecting Java deserialization vulnerability call chains based on a graph neural network, Serial Finder, is proposed. By extending the structure of the graph neural network and adding six kinds of call edge relationships to the call chain subgraph, a deserialization vulnerability detection scheme based on a multi-relational edge graph neural network is implemented, and the accuracy of deserialization vulnerability call chain detection is improved.

(3) Based on the Serial Finder method, an automated prototype system for Java deserialization vulnerability call chain detection is designed and implemented. Time performance and hit rate experiments are carried out on multiple third-party public component libraries, and the results are compared with Gadget Inspector, a recent Java deserialization vulnerability gadget chain detection method. Experimental results show that Serial Finder has an average hit rate of 39% on multiple public component libraries, which is 24% higher than Gadget Inspector.
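As an added illustration (not code from the thesis or the Serial Finder prototype) of the two building blocks the abstract names, the snippet below extracts a call chain subgraph by following typed call edges outward from a deserialization entry point and then applies one relation-aware GIN-style aggregation step over that subgraph. The call graph, the three relation labels and the feature and weight values are all constructed here for illustration; the abstract says Serial Finder uses six kinds of call edge relationships but does not list them.

```python
from collections import defaultdict

# Constructed toy call graph: (caller, relation, callee). The relation labels
# are hypothetical stand-ins for the six edge kinds the thesis defines.
EDGES = [
    ("Entry.readObject", "direct", "A.hashCode"),
    ("A.hashCode", "interface", "B.compare"),
    ("B.compare", "reflective", "C.invoke"),
    ("C.invoke", "direct", "D.run"),
    ("Unrelated.main", "direct", "E.helper"),  # not reachable from the entry
]


def extract_subgraph(edges, entry, depth):
    """Collect every typed edge reachable from `entry` within `depth` call hops.

    This is the call chain subgraph that becomes one training/detection sample.
    """
    adj = defaultdict(list)
    for caller, rel, callee in edges:
        adj[caller].append((rel, callee))
    seen, frontier, sub = {entry}, [entry], []
    for _ in range(depth):
        nxt = []
        for u in frontier:
            for rel, v in adj[u]:
                sub.append((u, rel, v))
                if v not in seen:
                    seen.add(v)
                    nxt.append(v)
        frontier = nxt
    return sub


def gin_layer(sub, feats, rel_weight, eps=0.0):
    """One GIN-style update with a per-relation weight on each incoming edge:
    h_v' = (1 + eps) * h_v + sum over (u -rel-> v) of w_rel * h_u.
    Scalar features keep the arithmetic easy to follow; a real model uses vectors
    and a learned MLP after the sum.
    """
    nodes = {n for u, _, v in sub for n in (u, v)}
    updated = {}
    for v in nodes:
        agg = (1.0 + eps) * feats.get(v, 0.0)
        for u, rel, w in sub:
            if w == v:
                agg += rel_weight[rel] * feats.get(u, 0.0)
        updated[v] = agg
    return updated


def graph_readout(node_feats):
    """Sum readout: the graph-level value a classifier head would score."""
    return sum(node_feats.values())
```

Running `extract_subgraph(EDGES, "Entry.readObject", 10)` yields the four-edge chain and leaves `Unrelated.main` out, which is the point of extracting per-entry subgraphs rather than feeding the whole call graph to the model.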